| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9ac22d4d-c841-651a-fdd5-9fb3a65c57ab@gmail.com>
Date: Thu, 28 Oct 2021 14:24:38 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Jens Axboe <axboe@...nel.dk>, Hao Xu <haoxu@...ux.alibaba.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>
Subject: [BUG] About "io_uring: add more uring info to fdinfo for debug"
Hi
I was looking at commit 83f84356bc8f2d
("io_uring: add more uring info to fdinfo for debug") after receiving
syzbot reports.
I suspect that the following :
+ for (i = cached_sq_head; i < sq_tail; i++) {
+ unsigned int sq_idx = READ_ONCE(ctx->sq_array[i & sq_mask]);
+
+ if (likely(sq_idx <= sq_mask)) {
+ struct io_uring_sqe *sqe = &ctx->sq_sqes[sq_idx];
+
+ seq_printf(m, "%5u: opcode:%d, fd:%d, flags:%x, user_data:%llu\n",
+ sq_idx, sqe->opcode, sqe->fd, sqe->flags, sqe->user_data);
+ }
+ }
Can loop around ~2^32 times if sq_tail is close to ~0U
I see various READ_ONCE(), which are probably not good enough.
At very minimum I would handling wrapping...
diff --git a/fs/io_uring.c b/fs/io_uring.c
index f37de99254bf8e0b8364b267388d1056fce436a4..50493f5c004b70cff103e20bf4b1ba92304eddb9 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -10117,7 +10117,7 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx,
struct io_overflow_cqe *ocqe;
struct io_rings *r = ctx->rings;
unsigned int sq_mask = ctx->sq_entries - 1, cq_mask = ctx->cq_entries - 1;
- unsigned int cached_sq_head = ctx->cached_sq_head;
+ unsigned int cached_sq_head = READ_ONCE(ctx->cached_sq_head);
unsigned int cached_cq_tail = ctx->cached_cq_tail;
unsigned int sq_head = READ_ONCE(r->sq.head);
unsigned int sq_tail = READ_ONCE(r->sq.tail);
@@ -10139,7 +10139,7 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx,
seq_printf(m, "CqTail:\t%u\n", cq_tail & cq_mask);
seq_printf(m, "CachedCqTail:\t%u\n", cached_cq_tail & cq_mask);
seq_printf(m, "SQEs:\t%u\n", sq_tail - cached_sq_head);
- for (i = cached_sq_head; i < sq_tail; i++) {
+ for (i = cached_sq_head; (int)(i - sq_tail) < 0; i++) {
unsigned int sq_idx = READ_ONCE(ctx->sq_array[i & sq_mask]);
if (likely(sq_idx <= sq_mask)) {
Powered by blists - more mailing lists